Configuring RADIUS Servers for Non-Local Gaia Users

Non-local users can be defined on a RADIUS server and not in Gaia. When a non-local user logs in to Gaia, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Note - If you define a RADIUS user with a null password (on the RADIUS server), Gaia cannot authenticate that user.

To configure a RADIUS server for non-local Gaia users:

In addition, see sk72940.

Step	Instructions
1	Copy the applicable dictionary file to your RADIUS server.
	Examples:
	Steel-Belted RADIUS server: Copy this file from the Gaia to the RADIUS server: `/etc/radius-dictionaries/checkpoint.dct` Add these lines to the `vendor.ini` file on the RADIUS server (keep in alphabetical order with the other vendor products in this file): `vendor-product = Check Point Gaia` `dictionary = nokiaipso` `ignore-ports = no` `port-number-usage = per-port-type` `help-id = 2000` Add this line to the `dictiona.dcm` file: `"@checkpoint.dct"`
	FreeRADIUS server: Copy this file from the Gaia to the RADIUS server to the `/etc/freeradius/` directory: `/etc/radius-dictionaries/dictionary.checkpoint` Add this line to the `/etc/freeradius/dictionary` file: `"$INCLUDE dictionary.checkpoint"`
	OpenRADIUS server: Copy this file from the Gaia to the RADIUS server to the `/etc/openradius/subdicts/` directory: `/etc/radius-dictionaries/dict.checkpoint` Add this line `/etc/openradius/dictionaries` file immediately after the `dict.ascend`: `$include subdicts/dict.checkpoint`
2	Define the user roles on Gaia. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: `CP-Gaia-User-Role = "role1,role2,...` For example: `CP-Gaia-User-Role = "adminrole, backuprole, securityrole"`
3	Define the Check Point users that must have superuser access to the Gaia shell. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: If this user should not receive superuser permissions: `CP-Gaia-SuperUser-Access = 0` If this user can receive superuser permissions: `CP-Gaia-SuperUser-Access = 1`

To log in as a superuser:

A user with super user permissions can use the Gaia shell to do system-level operations, including working with the file system. Super user permissions are defined in the Check Point Vendor-Specific Attributes.

Users that have a UID of 0 have super user permissions. They can run all the commands that the root user can run. Users that have a UID of 96 must run the sudo command to get super user permissions. The UIDs of all non-local users are defined in the /etc/passwd file.

To get super user permissions (for users that have a UID of 96):

Step	Description
1	Connect to the command line on Gaia.
2	Log in to Expert mode.
3	Run: `sudo /usr/bin/su -` The user now has superuser permissions.

Step

Description

Connect to the command line on Gaia.

Run:

sudo /usr/bin/su -

The user now has superuser permissions.